This is huge, make no mistake. There has never been an exploit against PKI this big, to my knowledge. I mean it (PKI) is not a perfect system by a long way, but up until now, if you were careful, then you could have a reasonable expectation of your HTTPS connection being secure.
This latest MITM attack disclosed at 25C3 has changed that; now you would have to be very careful indeed to have an expectation of privacy/confidentiality. Make no mistake, a large portion of the blame lies at the feet of those certificate providers who are still using MD5 hashes instead of SHA. The MD5 flaw/vulnerability (that of increased likelihood of collisions) has been known for a long time – in fact Schneier's post makes it plain that attacks against MD5 were no longer theoretical, and that was in 2005.
The thing that, to me, makes this worse is that it's not just smaller certificate authorities that are still using MD5 – Thawte and RSA Data Security are two of the biggest providers of certs and they still use MD5 (according to the presentation).
One thing that did surprise me is that the CRL that is used to check against revoked certificates is obtained from within the certificate itself – so if you are spoofing a cert, you could theoretically put your own spoofed CRL in as well. That's a pretty large hole from where I'm sitting.
It's worth considering this post, which points out that not all CAs use a serial number that increments and so not all are vulnerable to this attack – it's a valid point, but it only takes one vulnerable CA for this to work, and while we do need to stop using consecutive serial numbers, I think we also need to stop using MD5, for gawd's sake.
Additional Note 2
SSL Blacklist (a Firefox extension) has been updated to check for certs that use MD5 as their algorithm (this doesn't mean they are bad per se – see above note). The extension is available here.
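The kind of check the extension performs, as an added example that is not code from the original post or from SSL Blacklist: a dependency-free DER walker that reads the signature AlgorithmIdentifier out of an X.509 certificate and flags the MD5-based OIDs. The "certificate" it is run against is a constructed skeleton built by `build_sample_cert`, not a real CA certificate.

```python
# Added example, not from the post or the SSL Blacklist extension: a
# dependency-free DER walker that reads the signature AlgorithmIdentifier
# from an X.509 certificate and flags MD5-based OIDs (sample cert is constructed).

# MD5-based signature OIDs: PKCS #1 md5WithRSAEncryption and the older OIW form.
MD5_SIGNATURE_OIDS = {"1.2.840.113549.1.1.4", "1.3.14.3.2.3"}

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER content bytes into dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:  # base-128 arcs, high bit set on all but the last byte
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(cert_der):
    """Walk Certificate -> tbsCertificate -> signature and return its OID."""
    _, tbs_start, _ = _read_tlv(cert_der, 0)            # Certificate SEQUENCE
    _, pos, _ = _read_tlv(cert_der, tbs_start)          # tbsCertificate SEQUENCE
    tag, _, end = _read_tlv(cert_der, pos)
    if tag == 0xA0:                                     # optional [0] EXPLICIT version
        pos = end
    _, _, pos = _read_tlv(cert_der, pos)                # serialNumber INTEGER, skipped
    _, alg_start, _ = _read_tlv(cert_der, pos)          # signature AlgorithmIdentifier
    _, oid_start, oid_end = _read_tlv(cert_der, alg_start)  # algorithm OID
    return _decode_oid(cert_der[oid_start:oid_end])

def uses_md5(cert_der):
    """True when the certificate's signature algorithm is MD5-based."""
    return signature_algorithm_oid(cert_der) in MD5_SIGNATURE_OIDS

def _der(tag, content):
    """Encode one DER TLV with a definite length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    nb = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nb]) + n.to_bytes(nb, "big") + content

def build_sample_cert(sig_oid_der):
    """Constructed test skeleton: version, serial and signature alg only."""
    alg_id = _der(0x30, _der(0x06, sig_oid_der) + _der(0x05, b""))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg_id)
    return _der(0x30, tbs + alg_id + _der(0x03, b"\x00" * 9))
```

As the note above says, a hit only means the cert was signed with MD5 and so belongs to the exposed class, not that it is a forged cert.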